Google pays $40K to 'Pinkie Pie' for partial hack of Chrome OS
$3.14M Pwnium contest gets one submission
Computerworld - Google today said it had paid a researcher $40,000 for a partial exploit of Chrome OS at its Pwnium 3 hacking contest two weeks ago.
The researcher, known as "Pinkie Pie," was the only participant who submitted an exploit during the challenge Google ran March 7 at CanSecWest, the Canadian security conference which also hosted the eighth-annual Pwn2Own contest.
Two others had been working on Chrome OS exploits for Pwnium, said Google, but neither wrapped up in time, even after the contest deadline was extended.
According to Chris Evans, an engineer with the Chrome security team who announced the award on the Chromium blog, Pinkie Pie submitted a "plausible bug chain involving video parsing, a Linux kernel bug and a config file error" in Chrome OS, Google's browser-based operating system.
Pinkie Pie is no stranger to Google's hacking contests.
Last year, he took home $120,000 from the first two Pwnium contests, winning $60,000 in March 2012 after chaining a half-dozen vulnerabilities to bring down Google's Chrome, and another $60,000 in October with an exploit of the browser at the second Pwnium, held in Kuala Lumpur, Malaysia.
Google patched the two vulnerabilities disclosed by Pinkie Pie Friday in an update to Chrome OS. As is Google's practice, it has barred public access to the technical details of those bugs.
Pwnium 3 had attracted attention for its large awards -- up to $150,000 for each hack -- the $3.14 million Google committed to spending if necessary, and the focus on Chrome OS, which powers notebooks such as the $249 Samsung Chromebook and Google's own $1,299 Chromebook Pixel.
It was the first Google-sponsored contest to shift the target from Chrome the browser to Chrome OS.
Google was able to change the focus because the search giant agreed to co-sponsor Pwn2Own, which in turn offered top dollar -- $100,000 -- for the first Chrome hack. A two-man team from MWR InfoSecurity broke into Chrome 25 on Windows 7 by exploiting a pair of "zero-day," or unpatched, vulnerabilities in the browser and operating system.
The MWR team included Nils -- a young German who is known only by his first name -- and Jon Butler. Nils has his own Pwn2Own history: He won $10,000 by hacking Mozilla's Firefox in 2010, and $15,000 the year before for exploiting Firefox, Internet Explorer 8 (IE8) and Apple's Safari.
Google patched the Nils/Butler Chrome bug last Thursday, about 24 hours after the company's security team received the vulnerability information and a working exploit. The Windows kernel flaw they also used in their attack was passed along to Microsoft for analysis and patching.